Iptables is a powerful firewall built into the Linux kernel and is part of the netfilter project. It can be configured directly, or by using one of the many frontends and GUIs. iptables is used for IPv4 and ip6tables is used for IPv6.

Chains

Tables contain chains, which are lists of rules for packets that are followed in order. The default table filter contains three built-in chains: INPUT, OUTPUT and FORWARD.

Inbound traffic addressed to the machine itself hits the INPUT chain.

Outbound, locally-generated traffic hits the OUTPUT chain.

Routed traffic which should not be delivered locally hits the FORWARD chain.

See man 8 iptables for a description of built-in chains in other tables.

User-defined chains can be added to make rulesets more efficient.

Built-in chains have a default target, which is used if no rules are hit. Neither built-in nor user-defined chains can be a default target.

Rules

The packet filtering is based on rules, which are specified by multiple matches (conditions the packet must satisfy so that the rule can be applied), and one target (action taken when the packet matches all condition). While individual conditions are usually very simple, the full rule specification can be very complex.

Targets are specified using the -j or --jump option. Targets can be either user-defined chains, one of the special built-in targets, or a target extension. Built-in targets are ACCEPT, DROP, QUEUE and RETURN, target extensions are for example REJECT and LOG. If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in current table is stopped. If the target is a user-defined chain and the packet passes successfully through this second chain, it will move to the next rule in the original chain. Target extensions can be either terminating (as built-in targets) or non-terminating (as user-defined chains), see man 8 iptables-extensions for details.

Modules

There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.

Configuration

From the command line

Showing the current rules

You can check the current ruleset and the number of hits per rule by using the command:

If the output looks like the above, then there are no rules. Nothing is blocked.

To show the line numbers when listing rules, append --line-numbers to that input. This is useful when deleting and adding individual rules.

Editing rules

Rules can be added either by appending a rule to a chain or inserting them at a specific position on the chain. We will explore both methods here.

First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP.

# iptables -P FORWARD DROP

Warning: The rest of this section is meant to teach the syntax and concepts behind iptables rules. It is not intended as a means for securing servers. For improving the security of your system, see Simple Stateful Firewall for a minimally secure iptables configuration and Security for hardening Arch Linux in general.

The Dropbox LAN sync feature broadcasts packets every 30 seconds to all computers it can see. If we happen to be on a LAN with Dropbox clients and do not use this feature, then we might wish to reject those packets.

Note: We use REJECT rather than DROP here, because RFC 1122 3.3.8 requires hosts return ICMP errors whenever possible, instead of dropping packets. In reality, it is best to REJECT packets from hosts who should know about your server's existence, and DROP packets from hosts who should not even know your server exists, or those who appear "up to something".

Now, say we change our mind about Dropbox and decide to install it on our computer. We also want to LAN sync, but only with one particular IP on our network. So we should use -R to replace our old rule. Where 10.0.0.85 is our other IP:

We have now replaced our original rule with one that allows 10.0.0.85 to access port 17500 on our computer. But now we realize that this is not scalable. If our friendly Dropbox user is attempting to access port 17500 on our device, we should allow him immediately, not test him against any firewall rules that might come afterwards!

So we write a new rule to allow our trusted user immediately. Using -I to insert the new rule before our old one:

Guides

Logging

The LOG target can be used to log packets that hit a rule. Unlike other targets like ACCEPT or DROP, the packet will continue moving through the chain after hitting a LOG target. This means that in order to enable logging for all dropped packets, you would have to add a duplicate LOG rule before each DROP rule. Since this reduces efficiency and makes things less simple, a logdrop chain can be created instead.

Limiting log rate

The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your /var partition) by causing writes to the iptables log.

-m limit is used to call on the limit module. You can then use --limit to set an average rate and --limit-burst to set an initial burst rate. Example:

-A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG

This appends a rule to the logdrop chain which will log all packets that pass through it. The first 10 packets will the be logged, and from then on only 5 packets per minute will be logged. The "limit burst" is restored by one every time the "limit rate" is not broken.